Internet security system

ABSTRACT

Methods and apparatus, including computer program products, implementing and using techniques for processing a data packet in a packet forwarding device. A data packet is received. A virtual local area network destination is determined for the received data packet, and a set of rules associated with the virtual local area network destination is identified. The rules are applied to the data packet. If a virtual local area network destination has been determined for the received data packet, the data packet is output to the destination, using the result from the application of the rules. If no destination has been determined, the data packet is dropped. A security system for partitioning security system resources into a plurality of separate security domains that are configurable to enforce one or more policies and to allocate security system resources to the one or more security domains, is also described.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No. 09/967,893, filed Sep. 27, 2001, the disclosure of which is incorporated herein by reference, which claims the benefit of prior U.S. provisional application 60/280,684, filed Mar. 30, 2001.

BACKGROUND

The invention relates to an Internet security system. The growth of theInternet and high-traffic web sites that require high performance andhigh bandwidth networks have resulted in an increased number ofso-called service providers, including Internet data centers,application service and security service providers. A service provider,including an Internet data center, provides network resources, one ormore dedicated servers and, in some cases, physical space, to hostservices for a number of customers, usually for a fee. Conventionally,service providers must install and configure one or more dedicatedservers to support each customer and will likely require complexnetworks to manage separate services for the service provider's customerbase. In this environment, the customer typically has someadministrative control of the servers and control of the contentresiding on the servers. An Internet data center typically provides thenetwork, network access, hardware, software and infrastructure needed topower the service, including web site, managed security, and so on.

An exemplary view of the organization of a conventional Internet datacenter is shown in FIG. 1. In the present example, the Internet datacenter (100) has a number of customers A, B, C, D. The Internet datacenter (100) shown in FIG. 1 is set up for four customers only, while inreality a data center may host hundreds or potentially thousands ofusers. Each customer has one or more dedicated servers (105), adedicated firewall (110) and one or more switches (115) that are allconnected and form a subnet (120) for that particular customer. Thesubnets (120) are coupled together in the core switch fabric (125),which in turn forms an interface to the Internet.

The conventional model for organizing an Internet data center requires that a separate firewall device be deployed every time a new customer joins the Internet data center, which may require network re-configuration and is a labor-intensive and costly task. In this environment, the staff at the Internet data center must separately configure, upgrade, manage and support each firewall device. The conventional way of organizing Internet data centers also requires a large amount of physical rack space to accommodate the physical installation of separate firewall and other networking devices upon which the provider's services are hosted. As a result of the large amount of separate equipment, the wiring and related switching and routing infrastructure becomes complex. If a firewall fails, it will be costly to repair or replace, and the down time the client experiences before his or her firewall has been repaired or replaced may be considerable. The down time can be reduced if redundant boxes are provided, but this solution leads in turn to increased cost, space, maintenance and wiring problems, and is therefore not a desirable solution.

SUMMARY

In general, in one aspect, this invention provides methods andapparatus, including computer program products, implementing and usingtechniques for processing data packets transferred over a network. Thedata processing system includes a firewall engine that can receive a setof firewall policies and apply the firewall policies to a data packet,an authentication engine that can receive a set of authenticationpolicies and authenticate a data packet in accordance with theauthentication policies, one or more virtual private networks that eachhave an associated destination address and policies and a controllerthat can detect an incoming data packet, examine the incoming datapacket for a virtual private network destination address and identifythe policies associated with the virtual private network destination. Ifthe policies include firewall policies, then the controller can call thefirewall engine and apply the set of firewall policies corresponding tothe virtual private network destination to the data packet. If thepolicies include authentication policies, then the controller can callthe authentication engine and apply the set of authentication policiescorresponding to the virtual private network destination to the datapacket. The controller can also route the data packet to the virtualprivate network containing the data packet's destination address.

Advantageous implementations can include one or more of the followingfeatures. The controller can route the data packet by reading a set ofentries in a private routing table and outputting the data packet to itsvirtual private network destination address using a routing protocolassociated with the packet's virtual private network destinationaddress.

In general, in one aspect, this invention provides methods and apparatus, including computer program products, implementing and using techniques for processing a data packet in a packet forwarding device. A data packet is received and a virtual local area network destination is determined for the received data packet, including identifying a set of rules that are associated with the virtual local area network destination. The set of rules is applied to the data packet and if a virtual local area network destination has been determined for the received data packet, the data packet is output to its virtual local area network destination, using the result from the application of the rules. If a virtual local area network destination has not been determined for the received data packet, the data packet is dropped.

Advantageous implementations can include one or more of the followingfeatures. A traffic policy can be applied to the received data packet,the traffic policy being associated with the packet forwarding deviceand applied to all data packets processed by the packet forwardingdevice. Determining a virtual local area network destination can includeextracting layer information from the data packet and using theextracted layer information to determine a virtual local area networkdestination for the data packet. The layer information can include layer2 information, layer 3 information, layer 4 information and layer 7information. Applying the rules to the data packet can include shapingthe data packet based on the virtual local area network destination anddiscarding the data packet if no virtual local area network destinationis determined. Shaping the data packet can include attaching a digitaladdress tag to the data packet, the digital address tag identifying avirtual local area network destination. The digital address tag can beread and the data packet can be output using the digital address tagcontent.

Applying the rules to the data packet can include applying a set ofrules selected from network address translation, mobile internetprotocol, virtual internet protocol, user authentication and URLblocking. Applying the rules to the data packet can include applying aset of policies selected from incoming policies and outgoing policiesfor a virtual local area network destination. Entries from one or moreof a global address book, a private address book, and a global servicebook can be received and applying the rules to the data packet caninclude using the retrieved entries.

Available resources for outputting the data packet to the virtual private network destination can be determined, wherein the resources are definable by a user. Outputting the data packet can include outputting the data packet to a determined virtual private network destination in accordance with the determined available resources. Applying the rules to the data packet can include applying a set of virtual tunneling rules for a virtual local area network destination, where the tunneling rules are selected from PPTP, L2TP and IPSec tunneling protocols. Outputting the data packet can include reading a set of entries in a private routing table and if a virtual local area network destination has been determined for the received data packet, outputting the data packet to its virtual local area network destination using a routing protocol for the packet's virtual local area network destination. A set of rules configured by a user can be received.

In general, in one aspect, this invention provides methods andapparatus, including computer program products, implementing and usingtechniques for screening data packets transferred over a network. Aconnection to one or more virtual local area networks is established. Aset of firewall configuration settings are associated with each of theone or more virtual local area networks. An incoming data packet isreceived. The incoming data packet is screened in accordance with a setof firewall configuration settings and the screened data packet isoutput to a particular virtual local area network among the one or morevirtual local area networks, based on the result of the screening.

In general, in one aspect, this invention provides methods andapparatus, including computer program products, implementing and usingtechniques for transferring packets of data. One or more packetprocessing engines can receive an incoming packet of data, apply aglobal traffic policy to the incoming packet, classify the incomingpacket including determining a virtual local area network destination,shape the incoming packet based on the virtual local area networkdestination and output the shaped packet.

Advantageous implementations can include one or more of the followingfeatures. One or more switches can be connected to the packet processingengine by a trunk cable to receive the shaped packet from the packetprocessing engine through the trunk cable, determine a destinationdevice to which the shaped packet is to be routed and switch the shapedpacket to a communication link that is connected to the destinationdevice. The trunk cable can be a VLAN cable. A first packet processingengine of the one or more packet processing engines can be connected toa first switch of the one or more switches, and cross connected to atleast a second switch of the one or more switches and a second packetprocessing engine of the one or more packet processing engines can beconnected to the second switch of the one or more switches and crossconnected to at least the first switch of the one or more switches.

Each of the first and second switches can connect to one or morecommunication links, each communication link representing a virtuallocal area network destination. A trunk cable can connect a switch and apacket processing engine. One or more virtual local area networks(VLANs) can be connected to the one or more switches via a communicationlink dedicated for the virtual local area network. Outputting the packetcan include outputting the shaped packet to its virtual local areanetwork destination through a destination port on the packet processingengine, the destination port connecting the packet processing engine viaa communication link to a destination device.

One or more virtual local area networks (VLANs) can be connected to adestination port on the packet processing engine via a communicationlink dedicated for the virtual local area network. Each packetprocessing engine can perform one or more functions that areconfigurable for each virtual local area network.

In general, in one aspect, this invention provides methods andapparatus, including computer program products, implementing and usingtechniques for providing a security system including security systemresources including firewall services and a controller that canpartition the security system resources into a plurality of separatesecurity domains. Each security domain can be configurable to enforceone or more policies relating to a specific subsystem, and to allocatesecurity system resources to the one or more security domains.

Advantageous implementations can include one or more of the followingfeatures. The security system can allocate security system resources toa specific subsystem. The specific subsystem can be a computer network.The specific subsystem can be a device connected to a computer network.Each security domain can include a user interface for viewing andmodifying a set of policies relating to a specific subsystem. Thesecurity system resources can include authentication services. Thesecurity system resources can include virtual private network (VPN)services. The security system resources can include traffic managementservices. The security system resources can include encryption services.The security system resources can include one or more of administrativetools, logging, counting, alarming and notification facilities, andresources for setting up additional subsystems.

A management device can provide a service domain, the service domainbeing configurable to enforce one or more policies for all securitydomains. The management device can include a user interface for viewing,adding and modifying any set of policies associated with any specificsubsystem and the set of policies associated with the service domain.The service domain can include a global address book. Each set ofsecurity domain policies can include one or more policies for incomingdata packets, policies for outgoing packets, policies for virtualtunneling, authentication policies, traffic regulating policies andfirewall policies. The policies for virtual tunneling can be selectedfrom the group consisting of PPTP, L2TP and IPSec tunneling protocols.One or more of the security domains can include a unique address book.

The invention can be implemented to realize one or more of the following advantages. A single security device can be used to manage security for multiple customers. Each customer has its own unique security domain with an address book and policies for management of content. Each domain is separately administered. One customer's policies do not interfere with the other customers' policies. Additionally, attacks on one customer's domain will not have any influence on the functionality of other domains. To each customer, the firewall and any virtual private networks (VPNs) appear to be hosted on a discrete device, just like the conventional systems. For an Internet data center that employs the Internet security system in accordance with the invention, a number of benefits may result. Instead of upgrading and managing one device for each customer, a single device can be upgraded and managed for several customers. Less rack space will be required, since fewer devices are necessary, and as a consequence, the wiring scheme will be less complicated. The cost of deployment will be lower, the network complexity and requirements will be reduced, and higher performance throughput will be possible.

The details of one or more embodiments of the invention are set forth inthe accompanying drawings and the description below. Other features andadvantages of the invention will become apparent from the description,the drawings, and the claims.

DESCRIPTION OF DRAWINGS

FIG. 1 is a schematic view of a prior art security system configurationfor an Internet data center.

FIG. 2 is a schematic view of an Internet security system in accordancewith the invention.

FIG. 3 is a schematic view of an Internet security system in accordancewith an alternative implementation of the invention.

FIG. 4 is a schematic view of an Internet security system in accordancewith another alternative implementation of the invention.

FIG. 5 is a flowchart showing a data packet processing method inaccordance with the invention.

FIG. 6 is a flowchart detailing one implementation of the packetclassification step in FIG. 5.

FIG. 7 is a flowchart detailing another implementation of the packet classification step in FIG. 5.

FIG. 8 is a flowchart detailing an alternative implementation of the packet classification step in FIG. 5.

FIG. 9 is a schematic block diagram showing a more detailed view of thesecurity device in FIG. 3.

Like reference symbols in the various drawings indicate like elements.

DETAILED DESCRIPTION

An Internet security system in accordance with the invention provides amulti-customer, multi-domain architecture that allows service providers,such as Internet data centers, application infrastructure providers andmetropolitan area network providers to manage the security needs ofmultiple customers through one centralized system. The inventiveInternet security system also allows service provider and end usercustomers to create and manage separate security domains, each domainacting as a stand alone system and having its own set of policies. Theinventive Internet security system accomplishes this through uniquearchitecture and software features that can be referred to as VirtualSystems. The Internet security system will be described by way ofexample. Three different exemplary architectures will be described withreference to FIGS. 2-4. After the architectural system description ofeach implementation, the data flow through the system will be described.Finally, the user interface and a number of customizable functions ofthe Internet security system will be presented.

Internet Security System Using Virtual Local Area Networks

As shown in FIG. 2, the Internet security system (200) in accordance with one implementation of the invention includes a first 100/1000 router switch (205) that connects a firewall device (210) to the Internet (215). The firewall device (210) acts as a common firewall for all the customers, and can be separately configured to fit each customer's policies and security needs. How the separate configurations are done will be explained in further detail below. On the secure side of the firewall device (210) is a Virtual Local Area Network (VLAN) trunk (220) that carries all packets to a second 100/1000 switch (225). A VLAN is a Layer 2 multiplexing technique that allows several streams of data to share the same physical medium, such as a trunk cable, while remaining logically segregated from one another. That segregation is enforced by the switches on the path, so in this design the VLAN tag is the trust boundary between customers. The second switch (225) directs the packets on private links to the different customers' servers (230) through a 10/100 switch (235) for each customer.

An incoming data packet from the Internet (215) first passes the router switch (205) and enters the firewall device (210). The firewall device (210) determines what VLAN the packet is intended for and attaches a VLAN tag to the packet. In one implementation, the tag that is used is an 802.1Q tag. The 802.1Q tag adds four bytes to the Ethernet frame header, of which 12 bits carry the VLAN identifier (4094 usable VLAN IDs, since the values 0 and 4095 are reserved); the tagged frame format is defined in the 802.3ac Ethernet frame format standard ratified in 1998. The 802.3ac Ethernet frame format standard is supported by most backbone switches fabricated since the ratification of the standard. There are two ways to attach a tag to a data packet: implicit tagging and explicit tagging. The implicit tagging method assigns a tag to untagged data packets, typically based on which port the data packet came from. The implicit tagging method allows traffic coming from devices not supporting VLAN tagging to be implicitly mapped into different VLANs. The explicit tagging method requires that each data packet be tagged with the VLAN to which the data packet belongs. The explicit tagging method allows traffic coming from VLAN-aware devices to explicitly signal VLAN membership.
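The tag layout and the two tagging methods just described, as an added worked example that is not part of the patent text and does not describe the firewall device's actual implementation. The frame bytes, port names and the `pvid_by_port` table are constructed for the example; the only facts taken from the standard are the 0x8100 TPID, the 16-bit TCI split into 3-bit PCP, 1-bit DEI and 12-bit VID, and the position of the tag between the source MAC and the original EtherType.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def parse_ethernet(frame: bytes) -> dict:
    """Parse an Ethernet II frame, with or without an 802.1Q tag.

    Returns dst, src, vlan (None when untagged, else pcp/dei/vid), the inner
    EtherType and the payload. The 4-byte tag sits between the source MAC and
    the original EtherType; only the low 12 bits of its TCI are the VLAN ID.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        offset = 18
    return {"dst": dst, "src": src, "vlan": vlan, "ethertype": ethertype, "payload": frame[offset:]}


def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Explicit tagging: insert an 802.1Q header after the MAC addresses."""
    if not 1 <= vid <= 4094:  # VID 0 = priority-only frame, 4095 reserved
        raise ValueError("VID must be in 1..4094")
    if not 0 <= pcp <= 7:
        raise ValueError("PCP is a 3-bit field")
    tci = (pcp << 13) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the tag before forwarding onto an untagged (access) link, such as a customer's private link."""
    return frame[:12] + frame[16:] if parse_ethernet(frame)["vlan"] is not None else frame


def classify_ingress(frame: bytes, port: str, pvid_by_port: dict):
    """Decide VLAN membership for a frame arriving on `port` (constructed port table).

    Implicit tagging: an untagged frame inherits the ingress port's configured
    VLAN (its PVID). Explicit tagging: a frame that already carries a tag
    signals its own membership and is passed through unchanged.
    Returns (method, vid, frame as it goes onto the trunk).
    """
    parsed = parse_ethernet(frame)
    if parsed["vlan"] is None:
        vid = pvid_by_port[port]
        return "implicit", vid, add_tag(frame, vid)
    return "explicit", parsed["vlan"]["vid"], frame


if __name__ == "__main__":
    # Constructed sample frames: an untagged IPv4 frame and the same frame tagged PCP 5, VID 200.
    dst, src, payload = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), bytes(range(20))
    untagged = dst + src + b"\x08\x00" + payload
    tagged = dst + src + b"\x81\x00\xa0\xc8\x08\x00" + payload
    print(parse_ethernet(tagged)["vlan"])
    print(classify_ingress(untagged, "port3", {"port3": 300})[:2])
    print(classify_ingress(tagged, "port3", {"port3": 300})[:2])
```

Because an explicitly tagged frame chooses its own VLAN, a device that honours explicit tags from an arbitrary port lets the sender pick the customer VLAN. In the FIG. 2 arrangement only the firewall device should be permitted to tag, and customer-facing ports should tag implicitly and discard frames that arrive already tagged.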

The packet then continues on VLAN trunk (220) to the VLAN switch (225),where the tag attached to the packet by the firewall device (210) isread. Based on the VLAN tag, the packet is routed by the VLAN switch(225) to the appropriate switch (235) and server (230). The operation ofthe firewall device (210) will be described in more detail below.

Internet Security System Using Port-Based Virtual Local Area Networks

Another implementation of the invention is shown in FIG. 3, which showsessentially the same architecture as shown for the Internet securitysystem in FIG. 2. The difference is that the firewall device (210) hasbeen replaced with a firewall device (305) with port-based VLAN. Fromeach port in the firewall with the port based VLAN, there is a privatelink (310) to each customer, switch (315) and server (320). The system(300) does not include the VLAN trunk or the second 100/1000 switch ofthe Internet security system implementation shown in FIG. 2.

An incoming data packet from the Internet (325) first passes the routerswitch (330) and enters the firewall device (305). The firewall device(305) determines what system the packet is intended for. Instead ofattaching a VLAN tag to the packet, the firewall device directs thepacket to the proper dedicated port for the VLAN. The packet thencontinues on the selected private link (310) to the switch (315) andserver (320) for the selected VLAN.

FIG. 9 shows a more detailed view of the Internet security system ofFIG. 3, and in particular of the firewall device (305). The firewalldevice (305) includes functionality not conventionally included in afirewall and can therefore be referred to more generally as a securitysystem or a data processing system. The security system has a number ofengines, such as a firewall engine (905), an authentication engine(910), and optionally other engines. A user interface (985) is alsoprovided in the security system, which allows a user to set differentpolicies for the different engines. The different engines communicatewith each other through a bus (920). A user can set firewall policiesfor the firewall, such as incoming policies and outgoing policies for avirtual local area network destination, and authentication policies forthe authentication engine, such as network address translation, mobileInternet protocol, virtual Internet protocol, user authentication andURL blocking.

When a packet comes in, a controller (915) detects the packet. Thecontroller is connected to the bus (920) and can communicate with theengines. Also connected to the bus (920) is a set of virtual privatenetworks (925-940), that each are connected to a network, optionallythrough one or more switches (315). The exemplary networks shown in FIG.9 include two DMZs (Demilitarized Zones) (965, 970), an extranet (975)and a general population net (980). Each of the virtual private networks(VPNs), has an associated destination address and policies. After thepacket has been detected by the controller (915), the controller (915)examines the data packet for a virtual private network destinationaddress and identifies the policies that are associated with the virtualprivate network destination. If the policies include firewall policies,the controller (915) calls the firewall engine (905), which applies theset of firewall policies corresponding to the virtual private networkdestination to the data packet. If the policies include authenticationpolicies, the controller (915) calls the authentication engine (910),which applies the set of authentication policies corresponding to thevirtual private network destination to the data packet. After therespective engine has applied the policies, the data packet is routed tothe virtual private network corresponding to the data packet'sdestination address. How the incoming data packet is examined will bedescribed in greater detail below.

The security system as a whole thus has a finite amount of security system resources, including firewall and authentication services. The controller partitions the security system resources into a number of separate security domains, each security domain being related to a private or public network. Each security domain is configurable to enforce one or more policies relating to a specific subsystem or network. The controller allocates security system resources to the one or more security domains based on the needs of the respective security domain, by calling the different engines, as described above. Instead of the static resource allocation in conventional Internet security systems with one security device or firewall per client, as was described in the background section above, the inventive Internet security system provides dynamic resource allocation on an as-needed basis for the different virtual private networks and associated systems.

The security system resources can include a wide range of resources, such as authentication services, virtual private network (VPN) services, traffic management services, encryption services, administrative tools, logging, counting, alarming and notification facilities, and resources for setting up additional subsystems.

Internet Security System Using Virtual Local Area Networks with HighAvailability

Yet another implementation of the invention is shown in FIG. 4, whichshows an Internet security system architecture (400) similar to thatshown in FIG. 2. However, in order to provide the ability to accommodatemore traffic and to provide higher availability in the event ofequipment failure, the system provides dual firewalls (405, 410) anddual second switches (415, 420). The first switches have been replacedwith switch/routers (425, 430) that can direct incoming traffic toeither firewall (405, 410). Each firewall is connected to both secondswitches (415, 420) through VLAN trunks (435), and each of the secondswitches is connected to all the customer switches (440) by privatelinks (445). The cross connection scheme ensures that an alternate routefor data packages will be available, even in the event of componentfailure, and a high availability is thereby ensured.

An incoming data packet from the Internet arrives at one of the routerswitches (425, 430). The router switch decides what firewall device(405, 410) to send the packet to, based on which firewall devicecurrently has most available capacity and sends the packet to thatfirewall device. Just like the above-described implementation shown inFIG. 2, the firewall device (405, 410) determines what VLAN the packetis intended for, and attaches a VLAN tag to the packet. The packet thencontinues on VLAN trunk (435) to the VLAN switch (415, 420) with themost available capacity, where the tag attached to the packet by thefirewall device (405, 410) is read. Based on the VLAN tag, the packet isrouted by the VLAN switch (415, 420) through a private link (445) to theappropriate switch (440) and server (450).

Packet Classification and Context Partition

The following example describes a process for classifying and sendingout an incoming packet to the appropriate virtual system using thefirewall device in the Internet security system in accordance with theinvention. As shown in FIG. 5, a process (500) for classifying andsending out an incoming data packet begins with receiving a data packet(505). In the present example, the data packet is assumed to come from atrusted host. Data packets that are received from an untrusted host willbe treated somewhat differently, which will be described below.

Once the data packet has been received, the layer 2 (L2) information and the layer 3 (L3) information are extracted from the packet (510). The L2 information includes the interface number and the VLAN ID. The L3 information includes the IP header information.

After the L2 and L3 information has been extracted, one or more globaltraffic policies are applied to the packet (515). The global trafficpolicies apply to all virtual system domains in the Internet securitysystem.

When the global traffic policies have been applied, the packet goes through a classification (520) to find a Virtual System Context. The virtual system context is an object containing all the configuration parameters for the virtual system to which the packet is destined. The packet classification is based on a combination of the interface, VLAN ID and/or L3/L4 (that is, IP address and TCP/UDP port) information. In a simple configuration, interface and VLAN ID will be sufficient, while in a more complicated configuration, all the information listed above is necessary to locate the right context. The packet classification step is essential for the method and will be described in further detail below after the overall data packet processing procedure has been described.

The procedure then checks if a virtual system context has been found(525). If no virtual system context can be found, the packet is droppedand the event is logged (530). If a virtual system context has beenfound, the packet will be subjected to firewall/VPN/traffic shapingprocessing (535), in the same way as the packet would be processed on astand-alone device. After the firewall/VPN/traffic shaping processingthe procedure transforms the packet into an egress packet, and the L2information is encapsulated (540) before the packet is transmitted outthrough a designated interface port to the proper Virtual privatenetwork, which completes the procedure.

If the incoming packet comes from an untrusted interface, the processing is somewhat different than when the packet originates at a trusted interface. The different processing is necessary because an untrusted interface may be shared among several virtual systems. Therefore, the packet classification step (520) will, optionally, use more information, such as tunnel identifiers for protocols such as IPsec or L2TP. When a tunnel has been identified, the virtual system context can be identified, and the packet can pass to the Firewall/VPN/Traffic shaping step (535).

For non-tunnel traffic, a policy-based and session-based look-up table may be used to identify a virtual system context for the traffic from an untrusted interface. In the packet classification step (520), the packet will be subject to a global policy in order to identify if there is a session anywhere in the whole security system that matches the packet. If such a session exists, the context pointer in the session record informs the security system about which virtual system context is the correct one. If there is no session match, but there is a policy that matches the packet, then that policy will point to the proper virtual system context for continued processing.

The classification step (520) described above determines to which virtual system the incoming data packet is destined. The classification step (520) will now be described in more detail with reference to FIGS. 6-8, which show in greater detail what happens to the data packet during the classification. Conceptually, the Internet security system in accordance with the invention can be viewed as processes in an operating system, the primary difference being that processes in an operating system are event driven, while the Internet security system is packet driven. When the Internet security system receives an incoming data packet, the system needs to classify the packet based on information contained in the packet and on the policies that have been configured for the system. When the packet has been classified, the virtual system context to which the packet belongs is found, and the packet is passed to the associated virtual system context for further processing. From the point of view of the virtual system, the packet appears to have originated in one of the virtual interfaces configured for the virtual system.

The classification of the incoming packet is made based on information from layer 2 (L2), layer 3 (L3), layer 4 (L4) and layer 7 (L7). The classification may be made based on one or more layers. For example, in a simple configuration, a virtual system using VLAN to separate different secure domains, the VLAN ID in the VLAN Ethernet packet is sufficient to classify the packet and identify the destination virtual system context. This is referred to as simple classification. An exemplary process for simple classification is shown in FIG. 6, where the L2 information is extracted (605) and the virtual interface table is searched with the VLAN ID and the interface number (610). Based on the VLAN ID and the interface number, the process can determine whether a virtual system context has been found (615). If no virtual system context can be found, then the simple classification is not sufficient (620), and if a virtual system context can be found, then the simple classification is sufficient (625).

In an Internet security system with shared outside identity, a session database is used along with L2, L3 and L4 information to identify the correct virtual system. This is referred to as multi-layer classification. A process for multi-layer classification is shown in FIG. 7, where the L2 information (705), the L3 information (710) and the L4 information (715) are extracted before the session database is searched (720). Based on the L2, L3 and L4 information and the information in the session database, the process can determine whether a virtual system context has been found (725). If no virtual system context can be found, then the multi-layer classification is not sufficient (730), and if a virtual system context can be found, then the multi-layer classification is sufficient (735).

When complicated applications with dynamic port sessions (such as FTP, RPC, H.323, and so on) are involved, a dynamic session database, along with L2, L3, L4, and L7 (application layer) information, is used to identify the virtual system context. This is referred to as L7 classification. A process for L7 classification is shown in FIG. 8, where the L2 (805), the L3 (810), the L4 (815) and the L7 information (820) are extracted before the dynamic session database is searched (825). Based on the L2, L3, L4, and L7 information and the dynamic session database, the process can determine whether a virtual system context has been found (830). If no virtual system context can be found, then the L7 classification is not sufficient (835), and if a virtual system context can be found, then the L7 classification is sufficient (840). Each of the simple, multi-layer or L7 classifications can be performed by itself, or the processes can be performed in series, going from the simple classification, through the multi-layer classification, to the L7 classification until the packet has been classified and a virtual system context has been identified.
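The three classification stages run in series, with the session/global-policy lookup for a shared untrusted interface and the drop on a complete miss, as an added illustration that is not code from the patent. Class names, the table layouts, the sample addresses (198.51.100.7 is a constructed outside host) and the FTP PORT handling are assumptions made for the example; the vsys names and the MIP 193.1.1.241 come from the configuration example later in the description.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """Fields the classifier extracts from an incoming packet (steps 805-820)."""
    interface: str            # physical ingress interface, e.g. "trust" or "untrust"
    vlan_id: Optional[int]    # L2: 802.1Q tag, None when the frame is untagged
    src_ip: str               # L3
    dst_ip: str
    proto: str                # L4
    src_port: int
    dst_port: int
    payload: bytes = b""      # L7 application data, empty when none

    def five_tuple(self):
        return (self.proto, self.src_ip, self.src_port, self.dst_ip, self.dst_port)

    def reverse_five_tuple(self):
        return (self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


class VsysClassifier:
    """Runs simple, multi-layer and L7 classification in series (FIGS. 6-8)."""

    def __init__(self):
        self.virtual_interfaces = {}  # (interface, vlan_id) -> vsys       (FIG. 6)
        self.sessions = {}            # 5-tuple -> vsys, session database  (FIG. 7)
        self.global_policy = {}       # (dst_ip, proto, dst_port) -> vsys  (step 520)
        self.dynamic_sessions = {}    # (proto, dst_ip, dst_port) -> vsys  (FIG. 8)

    def simple(self, pkt):
        """FIG. 6: VLAN ID plus interface is enough when the vsys owns the VLAN."""
        if pkt.vlan_id is None:
            return None
        return self.virtual_interfaces.get((pkt.interface, pkt.vlan_id))

    def multilayer(self, pkt):
        """FIG. 7: L2-L4 lookup in the session database; on a miss, a matching
        global policy points to the vsys and opens a session for the flow."""
        vsys = (self.sessions.get(pkt.five_tuple())
                or self.sessions.get(pkt.reverse_five_tuple()))
        if vsys is None:
            vsys = self.global_policy.get((pkt.dst_ip, pkt.proto, pkt.dst_port))
            if vsys is not None:
                self.sessions[pkt.five_tuple()] = vsys
        return vsys

    def l7(self, pkt):
        """FIG. 8: dynamic session database filled by application-layer inspection."""
        return self.dynamic_sessions.get((pkt.proto, pkt.dst_ip, pkt.dst_port))

    def classify(self, pkt):
        """Return the virtual system context, or None when the packet is dropped."""
        for stage in (self.simple, self.multilayer, self.l7):
            vsys = stage(pkt)
            if vsys is not None:
                return vsys
        return None

    def inspect_l7(self, pkt, vsys):
        """Record the data connection that an FTP PORT command on an already
        classified control session announces, so its packets classify at L7.
        Assumption (simplification): the address in PORT is already the mapped IP."""
        m = re.match(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", pkt.payload)
        if m:
            a, b, c, d, hi, lo = (int(g) for g in m.groups())
            self.dynamic_sessions[("tcp", f"{a}.{b}.{c}.{d}", hi * 256 + lo)] = vsys


def build_demo_classifier():
    """Tables mirroring the marketing/sales setup of Tables 7 and 8 (constructed)."""
    c = VsysClassifier()
    c.virtual_interfaces[("trust", 200)] = "marketing"    # trust/200 tag 200
    c.virtual_interfaces[("untrust", 200)] = "marketing"  # untrust/200 tag 200
    c.virtual_interfaces[("trust", 300)] = "sales"        # trust/300 tag 300
    # Table 7, policy 0: incoming HTTP from Outside Any to MIP(193.1.1.241)
    c.global_policy[("193.1.1.241", "tcp", 80)] = "marketing"
    return c


if __name__ == "__main__":
    clf = build_demo_classifier()
    untagged_http = Packet("untrust", None, "198.51.100.7", "193.1.1.241", "tcp", 51000, 80)
    print(clf.classify(untagged_http))                         # marketing (via policy)
    print(clf.classify(Packet("untrust", None, "198.51.100.7",
                              "193.1.1.250", "tcp", 51001, 22)))  # None: dropped
```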

The virtual systems are created through configuration of the Internet security system in real time or at start up with a saved configuration script. A system administrator creates a virtual system context under a root privilege, and assigns certain attributes to the context. The system resources are now partitioned to support the new virtual system. A virtual system user can then log in to the system and will only see his or her virtual system, as if the user owned the whole system. A virtual system owner then can add, change and remove different attributes on the context. Once submitted, all attributes will be saved as configuration data for the Internet security system and be used to partition resources, change the global classification policy, and so on. How the Internet security system and individual virtual systems can be configured will be discussed in further detail below.

Configuring an Internet Security System

The description will now continue with an example showing how to configure an Internet security system in accordance with the invention, and showing three different examples of the user interfaces: one for a root level configuration, one where a root user creates a virtual system and adds configuration data, and one where a virtual system user logs in to a virtual system and changes configuration data.

First, a root user (that is, a system administrator for the whole Internet security system) with the user name “Netscreen” logs in to the system by entering the username and a password:

login: Netscreen

password:

ns1000->

The root user is now logged on and can access the root level interface configuration to view the different user interfaces that are present on the system. The command ‘get interface,’ for example, yields the following five interfaces, shown in Table 1 below.

TABLE 1 User interfaces present on the Internet Security System

Name      Stat   IP Address    Subnet Mask     MAC/VLAN/VSYS             Manage IP
Trust     Down   10.1.1.250    255.255.255.0   0010.dbf.1000             0.0.0.0
Trust/1   Down   11.1.1.250    255.255.255.0   Nat/trust.100(100)/NULL   0.0.0.0
Untrust   Down   192.1.1.250   255.255.255.0   0010.dbf0.1001
Mgt       Up     0.0.0.0       0.0.0.0         0010.dbf0.1002            192.168.1.1
Ha        Down   0.0.0.0       0.0.0.0         0010.dbf0.1004            192.168.1.1

The root user can view the root level address entry configuration with the command ‘get address’ which yields the trusted, untrusted, and virtual addresses shown in Table 2 below:

TABLE 2 Trusted, Untrusted, and Virtual Addresses

Name       Address           Netmask           Flag   Comments
Trusted Individual Addresses:
Inside     0.0.0.0           0.0.0.0           02     All trusted Any addr.
T11net     11.1.1.0          255.255.255.0     00
Untrusted Individual addresses:
Outside    0.0.0.0           0.0.0.0           03     All Any Untrusted Addr
Dial-Up    255.255.255.255   255.255.255.255   03     Dial-Up VPN VPN Addr
u-199net   199.1.1.0         255.255.255.0     01
Virtual Individual Addresses:
All        0.0.0.0           0.0.0.0           12     All Virtual Virtual Addr Ips

The root user can view the Virtual Private Network configuration by typing the command ‘get vpn’ which yields the virtual private network configuration in Table 3 below. Here, there is only one VPN setting for the system.

TABLE 3 VPN systems for the Internet Security System

Name         Gateway       Local SPI   Remote SPI   Algorithm       Monitor
m-t11-u199   192.2.1.250   00001234    00004321     Esp:3des/null   Off
Total manual VPN: 1

To view the access policy configuration, the root user types the command ‘get policy’ which yields the three policies shown in Table 4 below for the root system.

TABLE 4 Policies for the root system in the Internet Security System

PID   Direction   Source       Destination   Service   Action   STLC
0     Outgoing    T-11net      u-199net      Any       Tunnel   —
1     Incoming    U-199net     t-11net       Any       Tunnel   —
2                 Inside Any   Outside Any             Permit   —

The description will now continue with explaining how the root user can create a new virtual system named “marketing” and configure that system. The root user first adds the virtual system “marketing” to the Internet security system.

ns1000-> set vsys marketing

The root user then adds configuration data to the newly created system “marketing” by first adding two virtual interfaces for the “marketing” system. Note how the prompt has changed to indicate that the root user is working in the “marketing” system.

ns1000(marketing)-> set interface trust/200 ip 20.1.1.250 255.255.255.0 tag 200

ns1000(marketing)-> set interface untrust/200 ip 193.1.1.250 255.255.255.0 tag 200

The next configuration to update is to add a virtual system private address entry to the “marketing” system.

ns1000(marketing)-> set address trust t-20net 20.1.1.64 255.255.255.128

The root user then adds a MIP attribute to the private virtual interface, as well as two incoming/outgoing policies.

ns1000(marketing)-> set interface untrust/200 mip 193.1.1.241 host 20.1.1.40

ns1000(marketing)-> set policy incoming out-any mip(193.1.1.241) http permit

ns1000(marketing)-> set policy outgoing t-20net out-any any permit auth

Next, the root user can verify the interface configuration settings by typing the command ‘get interface’. As shown above, the ‘get interface’ command yields the virtual interfaces for the current system. Since the current system is the “marketing” system, the root user will only see the two virtual interfaces created above, as shown in Table 5 below.

TABLE 5 Virtual interfaces for the “marketing” virtual system

Name        Stat   IP Address    Subnet Mask     MAC/VLAN/VSYS                    Manage IP
Trust/200   Down   20.1.1.250    255.255.255.0   Nat/trust.200(200)/marketing
Trust/200   Down   193.1.1.250   255.255.255.0   Route/untrust.200(200)/marketing

As described above, the root user can see the virtual system address configuration for the “marketing” system by typing the command ‘get address,’ which yields the address entries shown in Table 6 below.

TABLE 6 Address entries for the “marketing” system

Name      Address           Netmask           Flag   Comments
Trusted Individual Addresses:
Inside    0.0.0.0           0.0.0.0           02     All trusted Any addresses
T-20net   20.1.1.64         255.255.255.128   00
Untrusted Individual addresses:
Outside   0.0.0.0           0.0.0.0           03     All Untrusted Any Addresses
Dial-Up   255.255.255.255   255.255.255.255   03     Dial-Up VPN VPN Addresses
Virtual Individual Addresses:
All       0.0.0.0           0.0.0.0           12     All Virtual Virtual Addresses Ips
MIP       193.1.1.241       255.255.255.255   10     Untrust/200

The user can now retrieve the policies for the “marketing” system by typing the command ‘get policy’ at the prompt. The get policy command yields the following two policies for the “marketing” system, shown in Table 7 below.

TABLE 7 Policies for the “marketing” system

PID   Direction   Source        Destination        Service   Action        STLC
0     Incoming    Outside Any   MIP(193.1.1.124)   HTTP      Permit        —
1     Outgoing    t-20net       Outside Any        Any       Permit-Auth   —

The configuration file for the “marketing” virtual system can be obtained by typing ‘get config’ which yields:

Total Config size 1503:

set vsys “marketing”

set vsys-id 1

set auth type 0

set auth timeout 10

set admin name “vsys_marketing”

set admin password nIxrDlr7BzZBcq/LyshENtLt9sLGFn

set interface trust/200 ip 20.1.1.250 255.255.255.0 tag 200

set interface untrust/200 ip 193.1.1.250 255.255.255.0 tag 200

set interface untrust/200 mip 193.1.1.241 host 20.1.1.40 netmask 255.255.255.255

set address trust “t-20net” 20.1.1.64 255.255.255.128

set policy id 0 incoming “Outside Any” “MIP(193.1.1.241)” “HTTP” Permit

set policy id 1 outgoing “t-20net” “Outside Any” “ANY” Permit Auth

exit

The root user has now created a virtual system, configured the system, and verified that all the settings are correct. He or she then exits the marketing system, saves the new configuration and the prompt returns to the root level.

ns1000(marketing)-> exit

Configuration modified, save? [y]/n y

Save System Configuration . . . Done

ns1000>

The current Internet security system settings can now be viewed by the root user by typing ‘get vsys’, which yields the settings shown in Table 8 below. As can be seen, the Internet security system now has a marketing system and a sales system. The marketing system has one sub-interface, while the sales system has a trusted and an untrusted interface.

TABLE 8 Internet security system settings

Name        ID   Sub-interface   VLAN          IP/Netmask
Marketing   1    Trust/200       Trust.200     20.1.1.250/255.255.255.0
Sales       2    Trust/300       Trust.300     30.1.1.250/255.255.255.0
                 Untrust/200     Untrust.200   193.1.1.250/255.255.255.0

The description will now continue with showing what a user of a virtual system, a “marketing” system, sees and the operations he or she can perform when he logs in to the system. The user logs in with his username and password:

login: vsys_marketing

password:

ns1000(marketing)->

To change the policy configuration, the user types ‘get policy’ which yields the two policies shown in Table 7 above. Now, the user can remove the first policy with the command ‘unset policy 1’ and add a new policy to the “marketing” system by typing

ns1000(marketing)-> set policy outgoing in-any out-any any permit auth

The new policy configuration can be shown by retyping the ‘get policy’ command, which yields the policies shown in Table 9 below.

TABLE 9 Modified policies for the “marketing” system

PID   Direction   Source        Destination        Service   Action        STLC
0     Incoming    Outside Any   MIP(193.1.1.124)   HTTP      Permit        —
2     Outgoing    Inside Any    Outside Any        Any       Permit-Auth   —

The user can then exit the “marketing” system and save the modified policies in the same way as the root user exited:

ns1000(marketing)-> exit

Configuration modified, save? [y]/n y

Save System Configuration . . . Done

The above examples only showed how to change a few policies and components. In the Internet security system in accordance with the invention, the following components can be independently configured in a similar way to the above example:

Firewall—The firewall device can be configured for each user to include one or more of the following mechanisms: NAT (Network Address Translation), MIP/VIP (Mapped IP, Virtual IP), User authentication, URL Blocking.

Policy—A private policy set can be configured that is applied to traffic for a particular customer. The private policy can include both incoming and outgoing policies. The policies can use entries from a global address book, a defined private address book, and a global service book.

Traffic management—Each virtual interface can be given a specific bandwidth.

Administration and management—Various functions can be configured for administration purposes, such as administrator login, mail alert, syslog, counters, logs and alarms.

Virtual LAN—The Virtual LAN can be defined on virtual interfaces within the Internet security system. Once the virtual LAN has been defined, the received VLAN traffic will be directed to the indicated virtual interface and traffic destined to the indicated virtual interface will be properly tagged with a VLAN ID.

VPN—Combined with private policies, the VPN provides secure tunneling for selected traffic going through the Internet security system. The tunneling can be PPTP, L2TP and IPSec.

Routing—Each system may define a private routing table and routing protocol.

A number of embodiments of the invention have been described. Nevertheless, it will be understood that various modifications may be made without departing from the spirit and scope of the invention. Accordingly, other embodiments are within the scope of the following claims.

What is claimed is:
1. A system comprising: a device comprising: a firewall to: receive a plurality of sets of firewall policies, each set of firewall policies, of the plurality of sets of firewall policies, being associated with a different virtual private network of a plurality of virtual private networks; and a controller to: receive a data packet; obtain, from the data packet, layer information that includes layer 2 information, layer 3 information, layer 4 information, and layer 7 information; search, using the layer 2 information without using the layer 7 information, a data structure to determine whether the data structure stores information regarding configuration data of a particular virtual private network of the plurality of virtual private networks, the data packet being destined for the particular virtual private network, the data structure storing information regarding configuration data of one or more virtual private networks of the plurality of virtual private networks; when the data structure does not store the information regarding the configuration data of the particular virtual private network: search another data structure to determine whether the other data structure stores the information regarding the configuration data of the particular virtual private network, the other data structure being searched using the layer information that includes the layer 2 information, the layer 3 information, the layer 4 information, and the layer 7 information; drop the data packet when the data structure and the other data structure do not store the information regarding the configuration data of the particular virtual private network; identify policies included in the configuration data of the particular virtual private network when the data structure or the other data structure stores the information regarding the configuration data of the particular virtual private network; determine that the policies include a set of firewall policies, of the plurality of sets of firewall policies, associated with the particular virtual private network; cause the firewall to apply, to the data packet, the set of firewall policies associated with the particular virtual private network based on determining that the policies, associated with the particular virtual private network, include the set of firewall policies; and cause the data packet to be routed toward the particular virtual private network after the set of firewall policies has been applied to the data packet.
2. The system of claim 1, where the device further comprises an element to receive a set of authentication policies, where the controller is further to cause the element to apply, to the data packet, one or more authentication policies, from the set of authentication policies, corresponding to the particular virtual private network, when the policies associated with the particular virtual private network include the one or more authentication policies, and where the one or more authentication policies include one or more of: network address translation, a policy associated with mobile Internet protocol, or user authentication.
3. The system of claim 1, where the set of firewall policies include one or more of incoming policies or outgoing policies for the particular virtual private network.
4. A method performed by a device, the method comprising: associating, by the device, a set of firewall configuration settings with each of a plurality of virtual local area networks; receiving, by the device, a data packet; obtaining, by the device, layer information from the data packet, the layer information including layer 2 information, layer 3 information, layer 4 information, and layer 7 information; searching, by the device and using the 2 layer information without using the layer 7 information, a data structure to determine whether the data structure stores information regarding configuration data of a particular virtual local area network of the plurality of virtual local area networks, the data packet being destined for the particular virtual local area network, the data structure storing information regarding configuration data of one or more virtual local area networks of the plurality of virtual local area networks; when the data structure does not store the information regarding the configuration data of the particular virtual local area network: searching, by the device, another data structure to determine whether the other data structure stores the information regarding the configuration data of the particular virtual local area network of the plurality of virtual local area networks, the other data structure being searched using the layer information including the layer 2 information, the layer 3 information, the layer 4 information, and the layer 7 information; dropping, by the device, the data packet when the data structure and the other data structure do not store the information regarding the configuration data of the particular virtual local area network; identifying, by the device, information included in the configuration data of the particular virtual local area network when the data structure or the other data structure stores the information regarding the configuration data of the particular virtual local area network; determining, by the device, that the configuration data of the particular virtual local area network includes the set of firewall configuration settings associated with the particular virtual local area network; processing, by the device, the data packet based on the set of firewall configuration settings, associated with the particular virtual local area network, after determining that the configuration data of the particular virtual local area network includes the set of firewall configuration settings associated with the particular virtual local area network; and outputting, by the device, the data packet toward the particular virtual local area network after processing the data packet based on the set of firewall configuration settings.
5. The method of claim 4, further comprising: applying a traffic policy to the data packet, the traffic policy being applied to all data packets processed by the device.
6. The method of claim 4, further comprising: applying authentication policies that include one or more of: network address translation, a policy associated with mobile Internet protocol, a policy associated with virtual Internet protocol, or user authentication.
7. The method of claim 4, where the set of firewall configuration settings, associated with the particular virtual local area network, include incoming policies and outgoing policies for a virtual local area network destination associated with the particular virtual local area network.
8. The method of claim 4, further comprising: determining available resources for outputting the data packet to the particular virtual local area network, the resources being definable by a user; and where outputting the data packet comprises: outputting the data packet toward the particular virtual local area network based on the determined available resources.
9. The method of claim 4, where outputting the data packet comprises: reading a set of entries in a routing table; and outputting the data packet to a virtual local area network destination, associated with the particular virtual local area network, using a routing protocol for the virtual local area network destination, the set of entries, in the routing table, being associated with the virtual local area network destination.
10. A system, comprising: a device to: obtain, from a data packet, layer information that includes: layer 2 information, layer 3 information, layer 4 information, and layer 7 information; search, using the layer information, a first data structure or a second data structure to determine whether the first data structure or the second data structure stores information regarding configuration data of a particular virtual private network of a plurality of virtual private networks, the data packet being destined for the particular virtual private network, the first data structure or the second data structure storing information regarding configuration data of one or more virtual private networks of the plurality of virtual private networks, when searching the first data structure or the second data structure, the device is to: search the first data structure using the layer 2 information without using the layer 7 information, and search the second data structure using the layer 2 information, the layer 3 information, the layer 4 information, and the layer 7 information when the first data structure does not store the information regarding the configuration data of the particular virtual private network; drop the data packet when the first data structure and the second data structure do not store the information regarding the configuration data of the particular virtual private network; and when the first data structure or the second data structure stores the information regarding the configuration data of the particular virtual private network: identify policies included in the configuration data of the particular virtual private network; determine that the policies include one or more firewall policies corresponding to the particular virtual private network; cause the one or more firewall policies to be applied to the data packet; dynamically allocate security system resources based on causing the one or more firewall policies to be applied to the data packet, the security system resources including firewall services associated with the one or more firewall policies; and route the data packet to the particular virtual private network after the one or more firewall policies have been applied to the data packet.
11. The system of claim 10, where the device is further to: partition the security system resources into a plurality of separate security domains, each of the plurality of separate security domains is to enforce one or more policies relating to a corresponding subsystem of subsystems associated with the plurality of separate security domains, and dynamically allocate the security system resources to a subsystem, of the subsystems associated with the plurality of separate security domains, when a corresponding one of the plurality of separate security domains is to enforce the one or more policies relating to the subsystem.
12. The system of claim 11, further comprising a second device to provide a particular service domain, the particular service domain is to enforce one or more policies for each of the plurality of separate security domains.
13. The system of claim 12, where the second device includes a user interface for presenting, adding, and modifying policies associated with each subsystem, of the subsystems associated with the plurality of separate security domains, and the one or more policies associated with the particular service domain.
14. The system of claim 12, where the particular service domain includes a global address book.
15. The system of claim 11, where the one or more policies for each subsystem, of the subsystems associated with the plurality of separate security domains, include one or more: policies for incoming data packets, policies for outgoing packets, policies for virtual tunneling, authentication policies, traffic regulating policies, or firewall policies.
16. The system of claim 15, where the policies for virtual tunneling include a policy associated with one or more tunneling protocols.
17. The system of claim 11, where one or more of the plurality of separate security domains include a unique address book.
18. The system of claim 11, where a particular security domain, of the plurality of separate security domains, is associated with the particular virtual private network, and where the subsystem, corresponding to the particular security domain, includes a computer network.
19. The system of claim 11, where a particular security domain, of the plurality of separate security domains, is associated with the particular virtual private network, and where the subsystem, corresponding to the particular security domain, includes a device connected to a computer network.
20. The system of claim 11, where each security domain, of the plurality of separate security domains, is associated with a user interface for presenting and modifying a set of policies relating to a corresponding subsystem.
21. The system of claim 10, where the security system resources further include authentication services.
22. The system of claim 10, where the security system resources further include virtual private network (VPN) services.
23. The system of claim 10, where the security system resources further include traffic management services.
24. The system of claim 10, where the security system resources further include encryption services.
25. The system of claim 10, where the security system resources further include one or more of: administrative tools, logging, counting, alarming, notification facilities, or resources for setting up additional subsystems.
26. A non-transitory computer-readable medium storing instructions, the instructions comprising: a plurality of instructions which, when executed by a device, cause the device to: associate a set of firewall configuration settings with each of a plurality of virtual local area networks; receive a data packet; obtain layer information from the data packet, the layer information including layer 2 information, layer 3 information, layer 4 information, and layer 7 information; search, using the layer 2 information without using the layer 7 information, a data structure to determine whether the data structure stores information regarding configuration data of a particular virtual local area network of the plurality of virtual local area networks, the data packet being destined for the particular virtual local area network, the data structure storing information regarding configuration data of one or more of the plurality of virtual local area networks; when the data structure does not store the information regarding the configuration data of the particular virtual local area network: search another data structure to determine whether the other data structure stores the information regarding the configuration data of the particular virtual local area network of the plurality of local area networks, the other data structure being searched using the layer information including the layer 2 information, the layer 3 information, the layer 4 information, and the layer 7 information; drop the data packet when the data structure and the other data structure do not store the information regarding the configuration data of the particular virtual local area network; identify information included in the configuration data of the particular virtual local area network when the data structure or the other data structure stores the information regarding the configuration data of the particular virtual local area network; determine that the configuration data of the particular virtual local area network includes the set of firewall configuration settings associated with the particular virtual local area network; process the data packet based on the set of firewall configuration settings associated with the particular virtual local area network; and output the data packet toward the particular virtual local area network after processing the data packet based on the set of firewall configuration settings.
27. The non-transitory computer-readable medium of claim 26, the instructions further comprising: one or more instructions to apply a traffic policy to the data packet, the traffic policy being applied to all data packets processed by the device.
28. The non-transitory computer-readable medium of claim 26, the instructions further comprising: one or more instructions to apply authentication policies that relate to one or more of: network address translation, a policy associated with mobile Internet protocol, a policy associated with virtual Internet protocol, or user authentication.
29. The non-transitory computer-readable medium of claim 26, where the set of firewall configuration settings, associated with the particular virtual local area network, include incoming policies and outgoing policies for a virtual local area network destination associated with the particular virtual local area network.
30. The non-transitory computer-readable medium of claim 26, the instructions further comprising: one or more instructions to determine available resources for outputting the data packet toward the particular virtual local area network, the resources being definable by a user, and where one or more instructions, of the plurality of instructions, to output the data packet comprise: one or more instructions to output the data packet toward the particular virtual local area network based on the determined available resources.